World Leader for Peace and Security Award 2017
Toomas Hendrik Ilves served as the fourth President of Estonia from 2006 to 2016, and previously served in the government as Minister of Foreign Affairs from 1996 to 1998 and again from 1999 to 2002. He was key in driving the e-government and cyber security initiatives for which the country has been acknowledged as a world leader.
From 1993 to 1996, Ilves served in Washington as the Ambassador of the Republic of Estonia to the United States of America and Canada. During this time he initiated, with education minister Jaak Aaviksoo, the Tiger Leap initiative to computerize all Estonian schools and connect them online.
In 2004, Ilves was elected a Member of the European Parliament, where he was vice-president of the Foreign Affairs Committee. As an MEP, he initiated the Baltic Sea Strategy, which was later implemented as official regional policy of the European Union.
Toomas Ilves was elected President of the Republic of Estonia in 2006 and was re-elected for a second term in office in 2011. In June 2017, President Ilves was awarded the Reinhard Mohn Prize, entitled “Smart Country: Connected. Intelligent. Digital.”
During his presidency, Ilves was appointed to several high positions in the field of ICT in the European Union. He served as Chairman of the EU Task Force on eHealth from 2011 to 2012. From 2012 to 2014, at the invitation of the European Commission, he was Chairman of the European Cloud Partnership Steering Board. From 2014 to 2015, he was co-chair of the advisory panel of the World Bank’s World Development Report 2016, “Digital Dividends”, and since June 2014 he has been chair of the World Economic Forum’s Global Agenda Council on Cyber Security.
Since November 2016, Ilves has co-chaired the Global Futures Council on Blockchain Technology, a working group set up by the World Economic Forum focusing on how blockchain technology can be used to improve the security of the internet.
His interest in computers started at an early age: he learned to program at the age of 13, and he has been promoting Estonia’s IT development since the country restored its independence. In recent years, Ilves has spoken and written extensively on integration, transatlantic relations, e-government, cyber security and related topics. He has published many essays and articles in Estonian and English on subjects ranging from Estonian language, history and literature to global foreign and security policy and cyber security.
Having realized how important the early adoption and acquisition of digital skills were before many others did, President Ilves was named World Leader in Cybersecurity for his contributions by the Boston Global Forum and the Michael Dukakis Institute on December 12, 2017, at Loeb House, Harvard University.
Award Ceremony Video
Award Ceremony Speech
Thank you very much. I’ll start off with the two-finger comment on […], which is just that there’s an article in Politico last week about the Russians making an offer to the US on a bilateral treaty, which the US rejected, of course. I mean, as a European I would say yeah, of course: the Russians, who have clearly meddled in Germany, the UK, Spain, Italy, the World Anti-Doping Agency, it doesn’t really encourage us if there’s a bilateral treaty and we’re left out to continued manipulation. But basically the US rejected it because it is kind of asymmetric, because if you already know the result of the election, I mean, what’s the meddling going to do? Anyway, to get to my talk, I’m gonna start talking about security sort of from a ground-up level, because I actually think that security, at least in all post-Enlightenment democracies, has based its approach on [John] Locke’s model: that the individual gives up his right, the Hobbesian right, to kill someone else to the state in return for security, be it your local police, your national security agencies, or internationally the army. And what we have done in Estonia is actually put the state at the center of security. At the same time, just lest you think we’re kind of a dirigiste Eastern European government, we’re probably far less intrusive in people’s lives than in the United States. But more broadly, I think we have to rethink most aspects of our lives in looking at living in the digital age. Basically, ever since William Gibson in his dystopian novel Neuromancer took Norbert Wiener’s term cybernetic and popularized the prefix cyber, this prefix has proliferated to almost all spheres of human activity, which I think is an indication of how much the digital world has permeated our lives. So we have cyberpunk, cybercrime, cyberhygiene, cyberspace, cyber–Pearl Harbor, cyber war, cyber security, and of course, inevitably, cybersex.
Rather than bemoan, as some have, the ubiquitous use of the prefix, saying it’s meaningless, I actually welcome the ubiquity to emphasize how profoundly our lives, our societies, our nations, indeed almost all human endeavor, have come to be dependent upon digital communication. So basically, from the privacy of emails, from our electoral democracy to our infrastructure, ride and apartment sharing, the integrity of our financial system, banking, the ads that we see on social media during electoral campaigns: all of these are subject to manipulation and attack. All of these, with the exception of social media and the sharing economy, also existed before the digital era, but they have now all been altered by the free movement of electrons and are in a completely different form, which requires us to rethink much of how we do things in all other aspects and realms of human activity. And this is of course all due to the increasing power of the silicon chip, also known as Moore’s law, which doubles every year and a half, even if it’s slowing down a bit because we are pushing the limits of physics. But basically the world is nonetheless completely different from the way it was 25 years ago.
And while all things digital have changed beyond belief, governments’ policies, laws and regulations actually have to keep up with this, and of course it can. When we talk about what the government can do on cybersecurity, which every government is, that’s very good, but on the other hand we actually have not looked at all the rest of life. I mean, when we have events such as 145 million adults in the United States having all of their financial records stolen, I mean that’s probably 80% of the adult population, it is completely untouched by government regulation, except for the fact, probably from sort of old-style rules, that the management sold their stocks before informing the population that their data had been stolen. But we have yet to come to terms with that. That is a much broader issue, and I guess most importantly, if we look at it, is what is at the core of our digital security, and I’m not talking about the government and the NSA and our electrical infrastructure, but basically what we do online. All of us started out 35 years ago with a system that worked fine, when there were about 3,500 academics using a network called BITNET, where security relied on an email address almost always ending with a top-level domain of .edu, and these people generally did not pose a security or a criminal threat yet. Today there are 4.2 billion people online. We fear all of these things, the cyber war, cybercrime, doxxed emails, but basically what we’re dealing with is that since we used BITNET we’ve had 22 or 23 iterations of Moore’s Law, which means that today computers are 8.4 million times more powerful than they were when we started using this system among 3,500 academics.
And so we also have an increase of roughly the same order of magnitude, from 3.5 thousand people using BITNET to billions of people online (3.5 or 4.2 depending who you ask). We’ve been very slow to realize this, as Joan I pointed out in an article six years ago, immediately after the Munich Security Conference. Without naming me he quoted me. I said this is the first time the Munich Security Conference has ever dealt with the issue of cybersecurity; that was 2011. Up till 2011 the Munich Security Conference, the premier conference on security in the world, had not even had a single panel on the issue of cybersecurity. Now of course the Munich Security Conference has an entire separate conference on cybersecurity, but that just shows how recently this was not considered an issue. What I’ll try to do today is look at cyber security on about three levels, beginning with the individual, then moving on to the state, and then finally getting to the sort of international level. And again, to reiterate, my point of view is that security has been the responsibility of the state pre-digital, and it remains so today, but the state has failed to keep up in general in most places. This does remain a key aspect of the Lockean social contract, where we do give up a certain amount of certain rights in exchange for protection against a sort of Hobbesian war, an all-against-all war; we’ve gotten there in the analog or physical world, but we are very slow to get there in the digital world. And ultimately I would argue that security is a political choice, based on policies, laws, and, deriving from those laws, regulations.
And just as we have in the physical, analog world civilian control of the military as a core concept in democracies, habeas corpus, laws regulating the use of guns, again when we get to digital, we are fairly poor in this respect. So when we come to this cyber world, we are, I argue, too focused on the technology rather than the policies, laws, and regulations. And I say this especially now, knowing the system that we have created in Estonia, that actually the technology is not that advanced, but we are way ahead of everyone else when it comes to use of digital technology, and this is a function of the laws.
I should mention here that just this week in The New Yorker you will be able to read probably the best article I have ever read, and I think I’ve read every single English-language article that has ever come out on my country and digitization, but the best article that has appeared just came out yesterday. It’s in this week’s New Yorker, written by a guy named Nathan Heller, and it sort of describes the way everything works in a very nice way, so I won’t even get into that. So basically, oh, and one thing I should add before I talk about what we do: there is a huge difference in this regard between what we do and, I’d say, most countries, because the focus has always been on the gee-whiz aspects of technology, which became clear to me when, after 25 years of dealing with digitizing my country, and, aside from the fact that I was a geek once, which is always tough going politically, I moved; I finally sort of finished my term.
My dream came true; I was invited to Stanford, the mecca of innovation in IT, and of course that’s where everything is: within a ten-mile radius of my office I have the headquarters of Apple, Google, Facebook, Tesla. I mean, it keeps going on and on and on; I guess only Microsoft is really missing. And on top of that, three miles away from me is Sand Hill Road, which basically funds all of this enormous innovation. Yet when I went to register my daughter to go to school, I had to bring an electricity bill to prove that I live there, and then thereafter she had to take an ESL exam because she’d gone to school in Estonia, and she placed out of taking sort of a catch-up course, and she had to get permission. I had to give her permission to enter a regular English class, so I had to sign two pieces of paper. I had to deliver one to the school, physically sign the paper; another one four miles away at the municipal school district headquarters. I got there, there was a line of about 20 people, and I said, well, I just have a piece of paper to drop off here, and the last person turned and said we all just have a paper to drop off here, but they have to make a photocopy of it. And suddenly it struck me that in fact everything that I had experienced in that process, except for the photocopying, was identical to the 1950s. I mean nothing had changed, except in the 1960s you started getting Xerox machines in the US school system, so you could actually make a photocopy. So I say that to illustrate where we are in most countries when it comes to digitization; we took a different route. I want, by the way, to mention what it’s like to register a car: it usually takes one to two days, sometimes three, unless you buy a new car, and then the dealership does it for you, which I had to finally do. But what we did in Estonia, just for background.
I mean, why we did what we did was, I mean, we emerged out of the miasma of the Soviet Union in 1991, re-emerged, because we had been independent. In 1938, the last full year before World War Two, Estonia and our linguistic cousins across the bay, or the Gulf, had the same GDP per capita. When we became independent again, the difference in GDP per capita between our two countries was 13-fold, and we were still basically operating with no infrastructure except for military infrastructure; all roads that were built during the Soviet period were for military purposes. And so looking at this awful situation, people came up with all kinds of plans, and what I proposed, since I had been taught, in a real fluke of serendipitous events, to program at age 14, I said, well, why don’t we teach kids how to use computers, which we embarked upon in ’95, ’96. By ’97, ’98 all schools were online and had labs, which we opened to the public after school hours so other people could learn to use computers. Keep in mind everyone is poor, so they can’t buy computers, but they do have access to them. And by this time we had sort of gotten to this sort of thinking of, well, maybe digitization really is the way to go for the country, but we realized somewhere around the late nineties that we could do it differently, because ultimately we were worried even then about security, and what that meant, and we do have a neighbor next to us that’s very big and probably very good at causing problems in the digital realm, as the US has discovered later on. So we thought long and hard about what it is that we need to do, and one of the things we came to very quickly was that the fundamental issue of cybersecurity for the population is identity: who you are. I mean, we all know the old New Yorker cartoon on the internet.
Well, it’s actually the fundamental problem of cybersecurity: that if you don’t know who you’re talking to, you don’t know, and in fact this is where it differs from what I’ll talk about later on, the kinetic world of warfare, you don’t even know if it’s your own people you’re talking to. And so what we realized is that we must start off with a strong digital identity, and this is, I would argue, one of the key axioms for the future of digital security. And of course that sounds good theoretically; what that meant in policy terms was that in 2001 we offered everyone living in Estonia at that time, permanent residents, a unique chip-based digital identity card, where communication was ensured with two-factor authentication and end-to-end encryption. And I said we did this because we realized even then that the primary model of email address plus password was not going to last for long; in fact today there is no password that can’t be broken in the sort of email-plus-password paradigm through brute-force hacking. So if you don’t have two-factor authentication you might as well give up, and this already means that on most transactions that you do in life, in most countries, you can’t be sure of anything. In order to do this we did it with a chip card plus a code, and I’m just, where people are really interested in this, we see in many places today that two-factor authentication is slowly coming in. Apple uses it. Google uses it. The problem with two-factor authentication the way it’s done in most places, for example at Stanford, where it has become the norm because of a big hack several years ago, is that the SS7 protocol, which governs the communication between mobile phones, has been hacked, is hackable, and in fact the first case of a big hack was the loss of three million euros by a German bank this spring that did use two-factor authentication using a mobile phone as the second factor. So that was how we started off.
We did this on a public-private sort of partnership basis, because every interaction has to be authenticated, and the verification or certification of each transaction is done by a 50/50 public/private partnership, a center that is paid for half by the government, half by a consortium of banks. The second step was that all this, using two-factor authentication with a highly encrypted public key infrastructure and encryption, meant that we could offer all people living in the country genuine security, at least, I mean, starting from the premise that nothing is completely secure, at least far more secure than the kind of security that most people enjoy in most places. We had been using it until we found out that Infineon produced a flawed RSA 2048 chip; we did a patch. I mean, I guess unlike most companies and most countries, we actually said we had a problem with the chip, and now we’ve gone over from RSA to elliptic curve encryption. I should say that other countries that use the same chip unfortunately have not been very open about it. Now, going back to 2001, we did one more step, which is actually a key to creating a functioning digital society, which again most places have not undertaken at all, which is that we gave the identity legal efficacy; that is, you can sign legal documents online with this system, which means hooking it up to a national registry. This causes howls of indignation from the Five Eyes countries, or the Anglosphere: the UK, Canada, the United States, New Zealand, Australia say we will never have a digital identity, let alone any kind of legal efficacy, which I always find kind of odd, because in fact the United States, UK, Canada, et cetera, all offer passports in which the state says you are you. All we’re doing is saying the state is saying who you are to enable legal transactions digitally, as opposed to having it in a physical passport.
The use of our system, and here we have, I mean, the card, and here this is behavioral economics, is that we make it mandatory to have a card. You never have to use it, but you must have one. Why do we do that? Because uptake rates of digital identities in most countries, or today in Europe all countries must issue or offer them digitally, and the uptake rates are 15 to 25%; the early adopters are the ones who take it out. We decided we would make it mandatory because no services will develop, either in the public sector, where different ministries should be developing things, or in the private sector, which would have an interest in this, unless they know that, well, they won’t if they think that 85% of the population can’t even use this service. So I mean we have things such as digital prescriptions, which are used today by 99 percent of the population: you don’t ever have a paper prescription; you call your doctor and renew your prescription, or your doctor writes it in when you go see him. Those things don’t happen; no one takes the effort to develop those kinds of systems unless you have the private sector and the public sector assured that basically everyone can use this. So this is laying the groundwork for a digital society, and of course what makes our bank transactions secure, unlike what I find here, is that it is all card based, chip based. You need a mobile phone or your card; we don’t have cheques in Estonia. In fact, I don’t quite, and I read recently how one system works here, which is that you can have electronic banking, so you go online, you do something, and the bank prints a paper check and then mails it. This is not a digital society, I would argue.
How much time do I have still? Okay, I don’t, I mean I can go on. I basically have argued that a state-guaranteed ID seems to be the main stumbling block in most countries for a secure digital society. Again, my argument is that this is simply something that a democratic society that is responsible for the security of its citizens must offer. I mean, you may not want to go the full step that we did, that you make it mandatory, but then you basically assume that digital services, at least on the part of the government, will not take off. I just read last night a perfect example of why a democratic government that wants input from its citizens needs a digital identity, in the ongoing debate on net neutrality. The FCC got over a million, I mean, like many federal agencies that ask people’s opinion, it got a million fake or bizarre or non-existent comments against net neutrality, and I don’t know how many it got in favor of maintaining net neutrality. But unless you can log on and be you, as a citizen of the United States, commenting on impending regulations, then what’s the point of asking anyone? In fact, some, I guess 400,000, of the comments came from Russia. I mean, this is not how you run a democracy, or at least this is not how you do open government, soliciting opinions from your citizens. And we have the same system in our country, where on various issues we ask people’s opinion, but you have to do it by saying who you are; if you don’t say who you are there’s no point. I mean, I don’t want to get into issues of anonymity and how crucial that is, or how crucial it may not be, and how it may ultimately be a victim of our lack of cybersecurity in the cyber realm, but nonetheless I would say that without a secure identity the functioning of a democracy becomes, I would maintain, stymied.
Now, the second thing we did, just to talk about how we have put security into the system, is designing a very different architecture from what is usually used. Most big countries, or most governments, have used centralized databases. The OPM hack: 15 million or 23 million US federal government employees, including CIA and NSA personnel, including their personnel files and psychological profiles, were hacked, as you probably know, two years ago. It doesn’t even matter who did it; the fact is that they had all of this stuff easily accessible and in clear text, it wasn’t even encrypted, which I would find, again, kind of unconscionable, not to mention the kind of hack we saw with Equifax. But what we realized quickly is that we could not have a centralized, central database, for purely economic reasons; in the late 90s everyone was going after big central servers, you know, we being sort of where we were. What we had done was that every ministry, every agency, every company had its own servers, using different systems and also with a great degree of sort of independence, or at least arrogance; they were little fiefdoms. And so in trying to figure this problem out, we had some mathematicians of ours come out with a distributed data exchange layer, which we call X Road, in which everything is connected to everything through the authentication of your identity. Basically the idea is that if your identity gives you the wall and the moat, then in most systems, like a castle, once you breach the moat and the wall you’re in, and everything is open to you. In our system, if you breach the moat and the wall you’re still stuck in a room, one room, one person; you can get something for that one person, but you can’t get the rest of the citizenry. Can we put on that video? It’s just a three-minute video, just to give my throat a break, and a little commercial break to show how our system works.
Running a modern state is a data-centered endeavor. Ensuring the functioning of the state requires administering very large quantities of data. Estonia lacks a centralized or master database; data is stored where it is created. Each agency administers its own data separately, and data is not duplicated. At the same time, state authorities and agencies need data outside their purviews in order to function; for example, the police constantly require information from the population register. Likewise, the unemployment insurance fund depends on information from the health information system. How can authorities securely exchange important data? First, the data must be easily accessible by the authorities that are authorized to use it. Second, the integrity of the data must be maintained: no third party should be able to make any changes to the data while it is in transit. Third, the data must remain confidential during its journey; it must be protected from the eyes of unauthorized parties. The X Road is a data exchange platform that fulfills all three of these requirements. The X Road makes life simpler for both the state and the citizens. For example, when a child is born, information about the birth is sent directly from the hospital to the population register. From there it is sent automatically to the Health Insurance Fund, so that the child will have health insurance and a family physician. This prevents the creation of excessive paperwork and saves time. The state functions in the background. The X Road helps authorities make work processes more convenient. Many activities can be automated, which frees employees to deal with matters that require human involvement. Authorities also don’t have to worry about the authenticity of data. They can be confident that data received from the Tax Board definitely originated from the actual Tax Board. Additionally, the X Road can be used regardless of what technology an authority uses.
The X Road above all makes it possible for authorities to efficiently exchange data among themselves. Sensitive information moves securely, and the system itself is so resilient that it cannot be easily brought down by those with malicious intentions.
Since the birth of the X Road in 2001, the system has operated continuously without interruption. The X Road helps the state see the big picture of how different authorities are connected to one another. In addition, the X Road makes it possible to exchange data not only within the country but also across national borders. That is, of course, if databases and information systems are working properly. The biggest beneficiaries of the X Road are of course the citizens. They enjoy the benefits of a better-functioning state and save all of the time they would otherwise spend submitting papers and forms. How much time? During the time it took you to watch this animation, the X Road saved around 240 working hours in Estonia. It changes the nature of bureaucracy for the first time since it was invented 5000 years ago, either in Mesopotamia or China. Bureaucracies have always been a parallel, I mean a serial, process, especially when you want permission to do something: you apply with a piece of paper. The paper goes to one agency and goes to another agency. Say, think about establishing a business: I mean, you have to check if all the board members have paid their taxes. Someone else has to check if they pay their alimony. Someone else has to check if anyone’s ever been bankrupt. So it just takes quite a long time. This makes bureaucratic processing parallel, which in fact speeds things up. Establishing a business in my country takes about 15 minutes, because all of those queries are answered simultaneously. The system also allows for greater transparency and reduction of corruption, because basically decisions are made by checking the boxes rather than by having an official who uses his discretion to decide whether you get something that you are entitled to or not. I don’t mean entitlements per se. If I want permission to dig a hole, I have to apply to my municipality just to make sure that there’s no water down there, or there’s no electrical cable.
Now, you know, in a lot of countries, if you apply then you know you should get the permission, but there’s an official there saying, well, you know, you get it if you slip me five, whatever it is that you have to pay and in whatever currency. These kinds of decisions are made automatically. The best result, however, is this: we’ve applied a once-only rule, which means that the government may not ask you for any information it already has. I mean, once you’re identified you no longer have to write your address down again, your telephone number, any of that stuff, but this is all of course done online. And the system has now been adopted from us (we give it away as foreign aid) by a number of countries. This platform was kind of foreign aid on a thumb drive: Finland, probably most prominently; we now are jointly developing this. It’s all open-source, non-proprietary software. Mexico was adopting it. Panama’s taking it over. Moldova has had it for a while. Georgia, kind of. I mean, countries vary on how much they do this. Oman; we gave it to the Palestinian Authority, but they never used it, so it really depends. But again, what this does allow for, from the point of view of the citizen, is to go and do things that traditionally have not happened at all. As of next year we will have cross-border interoperability of digital prescriptions, so a Finn coming to Estonia […] has too good a time […] loses his medicine. He can then call or write his doctor north of the Arctic Circle. The doctor will then renew his prescription. He will take his Finnish ID, plug it in at any pharmacy, put in his identifying numbers, and he will get his medicine. I proposed this five years ago to the Finnish president; next year will be six years since I proposed it. That is how long it takes.
The technology would probably, as in most cases, take about three days to do all of this; since, as my mantra goes, it’s political will, policies, laws, and regulations, it has taken that long to go anywhere further on digital security.
Before I move on to the big picture, we have the big issue in Europe, which, especially since Snowden, has been privacy. And privacy of course is very important. I would argue this system allows far more privacy than the current system, but it doesn’t require a certain degree of trust, which is why we don’t have back doors, because if we had back doors, you wouldn’t have trust, and then no one would use the system. But the real issue to my mind has been really data integrity. I may not like it if someone publishes my bank account or my blood type; if someone changes my blood type, or the record of my blood type, or if someone changes my bank account number or contents, that’s a disaster. So what we have done is put all citizen data, critical citizen data (health records, property records, law cases), because now they’re all digital, and you wouldn’t want those changed, we put them all on blockchain. Interestingly enough, since it’s all the public sector, it’s all on our private blockchain, because if it’s a public one, it’ll take forever to work. It was Bitcoin, but it’s on a private blockchain, administered by the government, which then means that you can’t change these data. The other thing that we have done for security, in addition to all this, is that, as a small nation that’s been invaded about 20 times in the last thousand years, we do worry about our data. I mean, we actually, based on the experience of Japan, which lost about five percent of its data in the Fukushima incident, have now established a data embassy, applying the Vienna Convention on extraterritoriality of diplomatic representations. We have given our big server diplomatic status. It’s in Luxembourg. There will be others, so that if we happen to have, I mean, we won’t have any bad seismic events most likely, because it’s fairly calm. I mean, if I were Greece, I would certainly do something similar, right?
I mean, not a happy place for seismic events, but certainly you want to keep your data elsewhere. It's a non-issue for the United States. The US is huge; you don't have to worry about keeping your data in several different places, but for smaller countries you probably do need to think about these things.
I will add a final thing. At the national level, what we do is that we have a prohibition of un-updated software. All you have to do is look at WannaCry, which took down the UK's entire National Health Service because the UK, being too cheap, did not update, I guess, this version of Windows they were using, which Microsoft stopped updating in 2009. The UK and Microsoft made a special deal to keep it up, I guess, to 2013, but even that lapsed, and then in 2017 you have the WannaCry ransomware, which shut down the medical system of a big European country. We can't allow this to happen again. I think a fundamental issue that needs to be dealt with, both in the private and the public sector, is that you cannot have legacy software. In other words, you must think of software as an operating cost, a running cost. Most companies and most countries think of software as a capital investment, right? It is not like a car. It's not as if, because you bought a car two years ago, you don't need another one for three. You must always keep your software up-to-date, or, as in the Equifax case, when they were notified of a vulnerability in February, they didn't bother patching it until after they were breached. I mean these are things that, if you're not going to get companies to observe that, and if governments don't observe that, you're going to have to legislate this. Certainly in the case of Europe, the application of the new General Data Protection Regulation will force US companies, at least in Europe, to worry about patching things or what happens to citizens' data, because the fine is going to be four percent of a company's revenue worldwide, which is no small thing. People may complain and moan about the regulations of the European Union; personally I think after Equifax there's nothing you can say about that. I mean it's more of a surprise that there's been so little of a citizen outcry on all of this.
There has been just as little surprise at all kinds of things, such as what happens to data in this country or in a number of European countries and its use, for example Cambridge Analytica's use of data it bought in creating highly targeted, highly granular ads in the last election, probably also in the UK Brexit referendum. I think that these are all issues that will need to be addressed. They're political issues that are not there yet.
I would now like to move on just quickly to the international part of this, which is that, while I agree with Joe on the need for conventions, there's only one convention that works at this point, and that's the Budapest Convention on Cybercrime, which originally was the Council of Europe Convention, which was then acceded to by liberal democracies: the US, Canada, Mexico, Japan, Australia. They then decided to call it the Budapest Convention because it was no longer a Council of Europe thing. The problem with that convention, but which may also lead the way to future thinking, is that there are a whole host of countries that have not acceded to the Budapest Convention, most prominently China, Russia, and Belarus. I don't know, I think Ukraine is somewhere in between, because Ukraine, at least up until the end of the Yanukovych regime, was also a primary source of all kinds of cybercrime.
But rather I'd direct attention to a fundamental conundrum of cybersecurity at the international level that we need to address, which is that our thinking about security, since the first rock was thrown by a pre-human hominid to kill another pre-human hominid, has been distance-based. Force equals mass times acceleration, meters per second squared; meters no longer matter in security these days. Distance does not matter; all of our security thinking up to the present has been based on the concept of distance, therefore geography. I mean, think about what is the primary security organization that we have. I mean, it's the North Atlantic Treaty Organization, and we are in it, but countries that share all of the values of the countries of the North Atlantic Treaty Organization, such as New Zealand, Australia, Japan, I can name a whole bunch, are not in the North Atlantic Treaty Organization simply because they're not in the North Atlantic, and all the work of the North Atlantic Treaty Organization is based on things such as tank and fighter range, bomber range, troop movement, logistics. It's all distance-based. Today all of these threats have nothing to do with distance. Borders are breached without being noticed. On top of that, the threats—take just one, APT28, Fancy Bear, I mean the various names have been given to it—they've hacked the Bundestag. They've hacked the Italian Foreign Ministry. They've done all kinds of things in the Netherlands, Sweden, Ukraine; even the World Anti-Doping Agency has been hacked by APT28. This one group of probably GRU hackers of course did hack the DNC. I should point out here that David Langer at least told me that, of the 126 people working at the DNC with access to the DNC server, 124 were actually using two-factor authentication. Two were not. Guess how the DNC server got hacked anyway.
The point is that our ways of looking at things in the digital era just have to change, that we have to think about security not in terms of geography. We have to realize that the threats can hit all over, and that perhaps what is at risk are our forms of government, our ways of organizing society. Certainly that's the case; what we've seen shows that is the case. We've seen in the last year or so not only attempts to derail the U.S. elections, but we now know better that with the Brexit campaign, you know, and that in France Macron's server was hacked. The French, having learned from the DNC, were smart. They actually loaded their email server with obvious fakes, so that when they were doxed, the doxers published things that were so obviously fake that it disqualified virtually everything, even what was perhaps potentially embarrassing. Nonetheless I would say that, while these are individual actions, we should learn from these individual actions, and think about how we should guarantee our security in the future, and think about working together a lot more.
Our own experience with this was not very good. In 2007 we had—I guess from now on every history of cyber warfare will begin with—the April–May 2007 attacks on Estonia. They were DDoS attacks, which meant our systems were never breached; they were just shut off from people. At the time NATO was loath to admit that this had been going on. Slowly people came around and realized that this was a Clausewitzian event, a continuation of policy by other means, and ultimately what we had been asking for for years, which was a center of excellence in Tallinn, which produced the Tallinn Manual one and two, was established in my country. But even NATO took a while to get there, so sort of the traditional model of, you know, someone breaches the border, and then there's an Article 5 decision made at the NAC, doesn't really hold, because in a cyber event, you know, you don't have problems with attribution. You don't know what the proper response is. We're just not ready for that, or have not been ready for that, but nonetheless we see the security situation has decreased to such a level that even our democratic systems seem to be under threat, that we have to start thinking in multilateral terms.
As I mentioned, we do have the Budapest Convention on Cybercrime, which kind of gives us an idea that like-minded nations have agreed that they will work against cybercrime, will give up criminals from their territory. It's been used to great effect in a number of countries, where one country identifies a hacker in another country and, according to the Budapest Convention, they are then extradited. We see that other areas don't work so well; as Joe mentioned, Hungary has failed this year. That's because, even during the ITU discussions about five years ago, already then a set of like-minded countries, China, Belarus, Russia, as it were, were basically arguing for what would amount to censorship of the web, because their definition of information security is not devoted to hacking, not restricted to hacking other people's infrastructure. It includes freedom of speech, and that's clearly something that liberal democracies are not willing to put up with. So, what I mean, another example of fairly successful cooperation that also might lead the way is the position of the NATO center in Tallinn, because while it was originally open only to NATO countries, it is now open to other like-minded nations. Finland, albeit not a NATO member, is a member. Japan basically has asked us, you know, how could we join. We said fine; I mean it's a long decision-making process there, but as we have seen, with threats both at the level of infrastructure, at the level of privacy, at the level of our democratic processes, we will have to develop—at least among liberal democracies—some kind of defensive mechanisms, among them international cooperation. At this point, or perhaps until about two weeks ago, there has been no real cooperation within NATO. I mean this NATO idea of cyber appears only to deal with the security of the organization, not the members or the allies, but just the organization; thinking is moving beyond that.
But maybe it's not gone far enough. I do think we will have to face up to the reality that liberal democracies are under threat, that the mechanisms for attacking liberal democracies are no longer merely kinetic, and that we have to start working toward some kind of serious organization for cybersecurity for liberal democracies, so that, as the attacks transcend geographical boundaries, from New Zealand and Australia to Finland and Estonia, countries will share information. It's going to be a long time. Cyber information, even within NATO, as I said, follows the espionage paradigm, where you don't share anything, as opposed to the interoperability paradigm of, you put a US missile under a French Mirage jet. I mean, in that sense of interoperability, in fact, it's one of our experiences: when we discovered some malware, we went to NATO and said "oh look what we found." NATO said "oh, you go to an ally." That's not how you do cybersecurity, frankly, so I would argue, and close with, that we do need to think about these things, but I will close with two small points. One of them is that we hear everywhere all this talk about we need backdoors. We've seen the Prime Minister of Australia, the Minister, the Commissioner of Justice for the European Union, the Minister of Home Affairs in the UK, the US Attorney General also argue for backdoors. I don't understand that issue, frankly, why you would want to do that, or maybe because it comes from not understanding technology. Basically, as soon as you have a backdoor, that becomes the Holy Grail, the Holy Grail for the people, because it's one-stop shopping. Why would you want to try to hack anyone if there is a hackable—and I use the term broadly—hackable key, a backdoor somewhere? And we need not think only in terms of smart people hacking a key, which, as I would say, smart people have done, and we know CIA and NSA have been hacked, but you don't even need that.
I mean the worst cases of breaches have been insider threats. I mean Scott Sagan just put out a really, I mean a whole collection of insider threats, but if you think about what's one of the worst cases, it's Snowden. That was not—no one breached NSA. He was an insider threat. Reality Winner, that bizarrely named woman, who just gave out an NSA document on Russian attempts to hack voting machines, again an insider job. Now, if I take care not to criticize the United States, I'll just say I'm in the European Union: five hundred million people; the Commissioner for Justice says okay, gets their wish, and the wish is to have a backdoor key. Now if I'm Vladimir Putin or someone else, I would say okay, I don't have to hack anything; I just need the key. I can get into everything, and instead of trying to get in there through digital electronic means, I would just find out who the key master is, and say I give you two billion euros. I mean eventually you find someone who's going to risk all for that, so let's stay away from backdoor keys is my point. In this regard I should say that Estonia, according to the ITU—that nefarious organization—certainly is the most secure in terms of cybersecurity in Europe. Russia is the most secure in Eurasia. China is the most secure in Asia. The only difference is that Freedom House also rated Estonia as number one in the world in freedom online, which disputes the argument that you need to be repressive in order to have security in cyberspace. But ultimately everything boils down, to my mind, to a brilliant essay—well, it wasn't that brilliant—but the ideas in it were brilliant, that was written 68 years ago, 1959.
62 years ago—I'm tired, jet lag—by C.P. Snow, called The Two Cultures, which I think was not nearly as relevant when it was published as it is today. C.P. Snow was a physical chemist and a literary novelist who gave the world the term "the corridors of power" in one of his novels, but he added this great little essay, or, as I said, not so great. But here's an essay about being at the faculty dining club in his college in Cambridge, sitting with the quantum cohort, sitting with the physical chemists, the physicists, the other chemists, discussing presumably quantum mechanics, and then he would get up after dinner and go drink with the poets, and the essayists, and the novelists, and the Shakespeare scholars. He says that you can't; he was the only one who could move between the two tables. The poets and essayists had no clue about physics, and the physicists and the chemists couldn't care less about literature, and he said this is a problem of the university. I would argue that today it's the problem of society, because back then technology did not impinge upon people's lives the way it does now. Your phone did not tell anyone where you were. It was plugged into the wall. Your television could not look at you. And despite, you know, sort of Orwell being published already ten years earlier, you know, you didn't need to put a little thing in front of your computer to keep the computer from looking at you or listening to you. The most you interacted with technology, perhaps, was to set the timing on your distributor cap, which is something that most people under 40 don't even know what it is. So it was a different world. Today technology impinges upon us everywhere, yet people do not understand the problems. The technologists do not understand the ethical, legal, moral, philosophical basis of a liberal democracy, you know, in many cases, and the people who are responsible for the legal system do not have a clue about IT on the other hand.
Right after the iPhone came out, one of the early apps could find out where you traveled, so I downloaded the app and I got this map of where I'd been, all based on the SS7 protocol that says where the mobile phone has been: big fat lines where I traveled a lot and thinner gray ones where I didn't. I showed it to my security detail. They went white and they said eliminate that immediately. I said what's the point; I mean the data exists, right? Someone else can have it. And then again in 2014, in the fall, I went to the European Parliament. They have a five-year term; it was half a year after their most recent election. I gave a talk about digital stuff, trying to tell them how important it is that you act, that they know something about it, and as a kind of show-and-tell moment I pulled out my mobile phone and I said, you know this thing here—you all have one; everyone had one of course—I said well, your next election is in four and a half years. That's three iterations of Moore's law. That means this same thing, by the time of your next election, will be two to the third (2^3) times more powerful, and this is an audience of 40 or so members of parliament. Interestingly, someone said what is 2 to the 3rd? Now if this is the level of understanding on the one side by people who make laws and policies, and on the other side by the people who design and create this technology, then we have a serious problem, and so my ultimate request is that, for genuine cybersecurity, what you really need is people, the policy makers and law makers, learning something about math and science, and the people who do all the gee-whiz things that we deal with taking a course in Western philosophy.
Thank you very much.